25 matches found
CVE-2026-53943
The CVE-2026-53943 entry describes a Ghost CMS vulnerability where, on sites behind a shared caching layer, an unauthenticated user can send an x-ghost-preview header that poisons cached responses, altering rendered frontend output. In affected configurations, this cached, request-specific previe...
CVE-2024-13146
The Booknetic WordPress plugin before 4.1.5 does not have CSRF check when creating Staff accounts, which could allow attackers to make logged in admin add arbitrary Staff members via a CSRF attack...
CVE-2024-13146 Booknetic < 4.1.5 - Staff Creation via CSRF
The Booknetic WordPress plugin before 4.1.5 does not have CSRF check when creating Staff accounts, which could allow attackers to make logged in admin add arbitrary Staff members via a CSRF attack...
CVE-2024-13146
The CVE-2024-13146 entry concerns the WordPress Booknetic plugin (pre-4.1.5) lacking CSRF protection when creating Staff accounts, enabling a logged-in attacker to add arbitrary Staff members via CSRF. Affected: Booknetic WordPress plugin versions prior to 4.1.5. Root cause: missing CSRF check on...
MAL-2024-3051 Malicious code in staff-account (npm)
False positive caused by problematic ingestion. --- -= Per source details. Do not edit below this line.=-...
CVE-2024-26492
An issue in Online Diagnostic Lab Management System 1.0 allows a remote attacker to gain control of a 'Staff' user account via a crafted POST request using the id, email, password, and cpass parameters...
PT-2024-21406 · Unknown · Online Diagnostic Lab Management System
Name of the Vulnerable Software and Affected Versions: Online Diagnostic Lab Management System version 1.0 Description: The issue allows a remote attacker to gain control of a 'Staff' user account via a crafted POST request. The attacker can exploit this by using the id, email, password, and cpas...
Malicious code in @zettle-bo/staff-account (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e6890c2d23d73e43eaf40b3d6435083b993f77894876b67b4a2ea41c9a223f3d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2021-46075
A Privilege Escalation vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. Staff account users can access the admin resources and perform CRUD Operations...
Privilege escalation
A Privilege Escalation vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. Staff account users can access the admin resources and perform CRUD Operations...
Shopify: Undocumented `fileCopy` GraphQL API
Impact A malicious staff account with no permissions can copy other store file assets to current store, which they have no access to. Details So the story as follow A malicious staff member jackmccracken on storeA.myshopify.com wants to upload a file on the store but could not, due to permissions...
Shopify: increased privileges on staff account
staff on partners without a store management permit can have access to the collaboration shop steps for reproduction 1. Invite staff to partners without store management permission 2. accept the invitation and the staff has become a member of the partner 3. On the staff account, try to access the...
Shopify: Ability to link a Google account to another staff account/store owner that isn't linked yet
The https://pos-channel.shopifycloud.com/graphql-proxy/admin endpoint allows us to update a staff email address that is having a Shopify ID. Taking that into consideration, if a store is setup to use Google Apps as login service and if a staff/store owner hasn't yet linked his account to a Google...
Shopify: Order notifications being sent for a deactivated staff account
Hi, Steps to reproduce : - - Have a staff account with settings permission - The staff account can go to notifications & add himself so as to get new order notifications - Now,deactivate the staff account via the admin. - Create a new order,you shall see that the staff still receives the order...
Shopify: race condition in adding team members
The researcher reported a race condition when adding new staff members that would allow bypassing the staff account limit for all plans. We fixed this issue by adding an exclusive lock around the account creation process. Note: Shopify no longer accepts reports regarding race conditions bypassing...
Shopify: Able to Login deactivated staff account in shopify app mobile
Hi Shopify, Deactivated staff account is able to login in shopify mobile app. STEPS 1. Login your owner account 2. Go to Staff Accounts and deactivate your staff account 3. Login to your staff account in your shopify mobile app As you can see you were able to login even the staff account was...
TheHostingTool 1.2.2 Cross Site Request Forgery
Date: Mon 12 Jul 2010 01:19:52 PM EEST Vendor: http://thehostingtool.com/ Download: http://thehostingtool.googlecode.com/files/THT-v1.2.2.zip --- -= CSRF PoC 1 - Create Staff Account =- TheHostingTool 1.2.2 Multiple CSRF Vulnerabilities - Create Staff Account -= CSRF PoC 2 - Delete Staff Account ...
TheHostingTool 1.2.2 - Multiple Cross-Site Request Forgery Vulnerabilities
Date: Mon 12 Jul 2010 01:19:52 PM EEST Vendor: http://thehostingtool.com/ Download: http://thehostingtool.googlecode.com/files/THT-v1.2.2.zip --- -= CSRF PoC 1 - Create Staff Account =- TheHostingTool 1.2.2 Multiple CSRF Vulnerabilities - Create Staff Account -= CSRF PoC 2 - Delete Staff Account ...
TheHostingTool 1.2.2 - Multiple Cross-Site Request Forgery Vulnerabilities
TheHostingTool 1.2.2 - Multiple Cross-Site Request Forgery Vulnerabilities Date: Mon 12 Jul 2010 01:19:52 PM EEST Vendor: http://thehostingtool.com/ Download: http://thehostingtool.googlecode.com/files/THT-v1.2.2.zip --- -= CSRF PoC 1 - Create Staff Account =- TheHostingTool 1.2.2 Multiple CSRF...
TheHostingTool v1.2.2 Multiple CSRF Vulnerabilities
Exploit for php platform in category web applications =================================================== TheHostingTool v1.2.2 Multiple CSRF Vulnerabilities =================================================== Date: Mon 12 Jul 2010 01:19:52 PM EEST Vendor: http://thehostingtool.com/ Download:...